Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging

by

Craig Hockenberry, one of the developers behind Twitterriffic, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Popular Stories

maxresdefault

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Friday February 20, 2026 3:21 am PST by
Apple is expected to launch a new foldable iPhone this year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that Apple will release its first foldable device in 2026. Subscribe to the MacRumors YouTube channel for more videos. Below, we've collated an updated set of key details that have been leaked about ...
Read Full Article95 comments
Apple Announces Special Event in New York Feature 1

Apple Reportedly Plans to Unveil at Least Five New Products Next Week

Sunday February 22, 2026 9:48 am PST by
In his Power On newsletter today, Bloomberg's Mark Gurman said Apple will have a three-day stretch of product announcements from Monday, March 2 through Wednesday, March 4. In total, he expects Apple to introduce "at least five products." A week ago, Apple invited selected journalists and content creators to an "Apple Experience" in New York, London, and Shanghai on Wednesday, March 4 at 9...
Read Full Article116 comments
Apple Watch 15 Tips Every Owner Needs to Know Feature

Apple Watch: 15 Tips Every Owner Needs to Know

Thursday February 19, 2026 7:38 am PST by
Apple Watch is now eleven generations in, and packed with useful features that are easy to miss at first glance. To help you get more out of your new device, we've rounded up 15 practical tips you might not have discovered yet, including a few that long-time users often overlook. Bounce Between Two Apps On your Apple Watch, double-press the Digital Crown to see a deck of all currently...
Read Full Article34 comments
Low Cost A18 Pro MacBook Feature Pink

Three Upcoming Apple Products Seemingly Spotted in macOS 26.3 Code

Friday February 20, 2026 7:36 am PST by
macOS 26.3 hints at Apple's rumored lower-cost MacBook, and two new Studio Display models, according to Macworld's Filipe Espósito. Espósito found the following codenames within macOS 26.3's source code, and he revealed the upcoming products that they likely correspond with, based on previous reporting from Bloomberg's Mark Gurman and others. The codenames:J700: Lower-cost MacBook J427:...
Read Full Article87 comments
Dynamic Island iPhone 18 Pro Feature

10 Reasons to Wait for Apple's iPhone 18 Pro

Wednesday February 18, 2026 5:12 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article95 comments

Top Rated Comments

W
WilliamG
149 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Score: 24 Votes (Like | Disagree)
HiRez Avatar
HiRez
149 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
Score: 21 Votes (Like | Disagree)
sniffies Avatar
sniffies
149 months ago
InAppGate

BrowserGate

FMLgate
Score: 16 Votes (Like | Disagree)
EdgardasB Avatar
EdgardasB
149 months ago
I'm sure he'll be crying into the billions Apple made this week.

Score: 10 Votes (Like | Disagree)
A
Apollo 13
149 months ago
this would be a problem on any phone not just a ios device.
Score: 10 Votes (Like | Disagree)
HiRez Avatar
HiRez
149 months ago
I'm sure he'll be crying into the billions Apple made this week.
Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to todays botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
Score: 9 Votes (Like | Disagree)
Read All Comments